
11/29/2006
05:25 AM

Banking on Security

No tellers were harmed, no cash was removed... This social engineer was after logins and passwords

We were recently hired by a regional bank to assess its security. When negotiating the services agreement with the bank president we agreed to perform the standard network security penetration testing, but he insisted we also test the security awareness of the bank staff.

What he really wanted to discover was whether employees had become complacent in verifying the credentials of customers and, more importantly, of the people who service the bank's needs. The bank had recently outsourced its IT functions, and although the outsourcing firm had promised a dedicated technician, a revolving door of technicians coming and going had become the standard.

After signing some legal boilerplate and "get out of jail free" paperwork, here's what we agreed to: Pose as a vendor, enter the facility, plug into the network, sniff traffic, look for login and passwords, then try to become domain administrator of the network.

Our first step was to select a vendor to impersonate. To keep the suspicion level down, it needed to be someone who would plausibly use a computer or laptop once inside. To find out more, I sent a colleague into the bank to inquire about a checking account. While in the bank she took notice of the various pieces of office equipment, specifically the printers, faxes, and copiers. While discussing the possibilities of becoming a customer, our spy also inquired about the manager of the bank and the availability of that person in the event a question or problem arose. Days, times, and even a cellphone number were provided to our insider.

After reviewing the list of office equipment she retrieved, we decided the best person to enter the facility was a copier technician. The bank used digital multifunction devices, so each copier worked as a local printer on the network. From there we looked into our cache of vendor clothing. We were fortunate to have a brand new denim shirt embroidered with the copier company logo. Being close to Halloween, we thought it would be entertaining to throw on a fake beard or mustache, but scrapped the idea when we saw how bad it really looked. We then put together an assortment of tools and credentials.

Our office at Secure Network Technologies utilizes a proximity card access system, which also serves as an employee identification badge. Conveniently, we have the machine that prints these things. After a few minutes in the device's editing program, we used a digital photo to create an identification card that looked official enough to be from the copier company.

Using our past experience with copier folks, we put together a giant silver briefcase on wheels, a mini-vacuum cleaner, and a few reams of paper. Inside the briefcase was our laptop, loaded with all the software tools needed to poke and probe their network.

On the day we planned to go in, I called the bank and indicated I was new to the copier company and wanted to get familiar with the machine to properly service the equipment. I indicated we could perform a preventive maintenance call at no charge to ensure the quality of the prints and copies. The person at the bank agreed and thought it was a good idea. I requested her name in the event we needed to validate who we had spoken to when we attempted to go in. Later that afternoon I stopped in at the bank with my new denim work shirt and a rolling briefcase full of gear in tow.

I entered the bank lobby and was immediately greeted by a woman in a small glass-paneled workspace. I mentioned we called earlier, dropped the contact's name, and indicated I was here to service the copier/printer. Without hesitation I was escorted to the machine and left unattended. To make it appear as if I were working on the device, I opened every panel on the machine, pulled all the trays out, and placed my laptop on the glass surface of the copier/printer.

I was approached by a few people who needed to make copies; I apologized for the inconvenience and said the machine might be down for 30-40 minutes. I then disconnected the network cable from the copier/printer and attached my laptop. As soon as my laptop booted up, DHCP provided a network address and I was on the internal network. I started a few of our utilities and began sniffing the traffic on the network.
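The plug-in step above worked because the copier's network jack handed a lease to whatever device was attached. As an added example (not code from the article or from Secure Network Technologies), here is one detective control for that: parse DHCP server logs and alert on any lease granted on a restricted subnet to a MAC address that is not the registered device. The log lines, the subnet, and the asset inventory are all constructed for illustration, and the log format assumed is ISC dhcpd-style syslog.

```python
import re
import ipaddress

# Constructed sample of ISC dhcpd-style syslog lines (not from the article).
# The copier is the only device registered on the printer subnet; the third
# lease goes to an unknown MAC on that subnet, which is the scenario in the story.
SAMPLE_LOG = """\
Oct 31 14:02:11 dhcp dhcpd: DHCPACK on 10.10.5.21 to 00:00:48:1a:2b:3c (COPIER-LOBBY) via eth0
Oct 31 14:03:40 dhcp dhcpd: DHCPACK on 10.10.1.77 to 00:1a:a0:99:88:77 (TELLER03) via eth0
Oct 31 14:41:05 dhcp dhcpd: DHCPACK on 10.10.5.22 to 00:0c:29:de:ad:01 (laptop) via eth0
"""

# Constructed asset inventory: MACs allowed to obtain a lease on each restricted
# subnet. In a real deployment this would be pulled from the CMDB or switch config.
RESTRICTED_SUBNETS = {
    ipaddress.ip_network("10.10.5.0/24"): {"00:00:48:1a:2b:3c"},  # printer VLAN
}

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))?", re.IGNORECASE
)

def parse_acks(log_text):
    """Yield (ip, mac, hostname) for every DHCPACK line; other lines are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield (ipaddress.ip_address(m["ip"]), m["mac"].lower(), m["host"] or "")

def find_rogue_leases(log_text, restricted=RESTRICTED_SUBNETS):
    """Return leases on a restricted subnet whose MAC is not in the inventory."""
    alerts = []
    for ip, mac, host in parse_acks(log_text):
        for subnet, allowed in restricted.items():
            if ip in subnet and mac not in allowed:
                alerts.append({"ip": str(ip), "mac": mac, "host": host, "subnet": str(subnet)})
    return alerts

if __name__ == "__main__":
    for a in find_rogue_leases(SAMPLE_LOG):
        print(f"ALERT: unregistered {a['mac']} ({a['host']!r}) got {a['ip']} on {a['subnet']}")
```

Switch port security or 802.1X on the copier's jack would have blocked the lease outright; this check is the cheaper alerting layer that catches the swap after the fact.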

Within seconds I had a variety of logins and passwords, access to numerous shared folders, data, and administrative accounts. We usually single out a few key employees who might be considered important, i.e., the bank president, vice president, and operations manager, and make a note of their logins and passwords. When I determined I had enough data, I decided to snap a few digital images to throw into the report. I took six or seven pictures, even using the flash, with nobody questioning or asking why I was doing this.

In the event they asked, I figured I'd tell them we do this to document the cleanliness of the machine after we service it, primarily because of complaints about the machine being covered and smudged in black toner.

Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine.

When I returned to my office I immediately called my contact and explained what we did and that we were successful. After retrieving the ream of paper with his password, I could hear the concern in his voice since our job confirmed his worst fears. I explained to him this type of problem can be fixed by sharing the results with his employees, and that no one person should be targeted as a single point of failure.

Our effort required us to talk and interact with several people. At no time did anybody question who we were or call the vendor to confirm our identity.

Over the years, after doing several security assessments using social engineering techniques, nine times out of 10 we get caught when that one person says "I need to call someone about what you're doing." That call to confirm usually raises enough suspicion to stop us from proceeding. And after that person realizes what they did, word travels real fast throughout the organization that they caught the "bad guy."

Combine catching the bad guy and letting an organization know this type of theft and criminal behavior really exists, and you get one of the best tools in educating employees about vigilance and how to be proactive in security.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading
